Abstract

Many applicative programming languages are based on the call-by-value lambda calculus. For these languages tools such as compilers, partial evaluators, and other transformation systems often make use of rewriting systems that incorporate some form of beta reduction. For purposes of automatic rewriting it is important to develop extensions of beta-value reduction and to develop methods for guaranteeing termination. This paper describes an extension of beta-value reduction and a method based on abstract interpretation for controlling rewriting to guarantee termination. The main innovations are (1) the use of rearrangement rules in combination with beta-value reduction to increase the power of the rewriting system and (2) the definition of a non-standard interpretation of expressions, the generates relation, as a basis for designing terminating strategies for rewriting.


1. Introduction

The original motivation for this work came from a project to compile programs by transformation to continuation-passing style [Steele 1976]. This program transformation in its simplest form tends to introduce extraneous lambda-applications. Instead of complicating the transformation to avoid introducing these lambda-applications it seemed preferable to use it in conjunction with a general purpose simplifier, the idea being that such a simplifier could be shared by many automatic program manipulation tools as well as being useful in interactive program manipulation systems. For example, such a simplifier can be used for optimizing programs built by combining many components, since inlining procedure calls (call unfolding) and many peep-hole optimizations are instances of beta-reduction. It could also serve as a tool for building semantics directed compilers and partial evaluators.

Our simplifier is composed of a reduction system and a method for limiting application of reductions to ensure termination. The basic reduction system can be used in combination with other control strategies, and the analysis underlying our method for limiting reduction should work for variants of the reduction system.

The target language for our simplifier is that of the lambda calculus [Barendregt 1981]. The reduction system consists of the beta-value (beta-v) reduction rule together with two rearrangement rules designed to create additional sites for the beta rule. The beta-v rule is the restriction of the standard beta conversion rule to applications in which the operand is a value expression, e.g. a variable, constant, or lambda abstraction. Thus $(\lambda x.f\,x)z$ is a beta-v reduction site (reducing to $f\,z$), while $(\lambda x.f\,x)(g\,z)$ is a beta reduction site but not a beta-v reduction site. The beta-v rule corresponds to call-by-value semantics for a programming language and [Plotkin 1975] shows that this rule is adequate to evaluate closed expressions. However there are many programs that are equivalent under a wide class of observations that cannot be proved equivalent in the lambda-v calculus. One example is the evaluated position context theorem: $C[e]$ is equivalent to $\mathrm{let}\{x := e\}C[x]$ where $C$ is any expression with a unique hole occurring in a position that will be evaluated before any other serious computation takes place [Talcott 1989]. The rearrangement rules of our reduction system are corollaries of this theorem expressing the fact that a let-binding (application of a lambda abstraction) occurring in the function position of an application, or in the argument position of an application in which the function position contains a value, can be moved outside of the application. Thus $(\mathrm{let}\{f := g\,z\}\lambda x.f\,x)y$ rearranges to $\mathrm{let}\{f := g\,z\}(\lambda x.f\,x)y$ and $(\lambda x.f\,x)\mathrm{let}\{g := h\,z\}\lambda y.g\,y$ rearranges to $\mathrm{let}\{g := h\,z\}(\lambda x.f\,x)(\lambda y.g\,y)$. Note that in both cases the expression before rearrangement has no beta-v reduction site, while the expression after rearrangement does have a beta-v reduction site. The rearrangement rules have the effect of moving expressions that intervene between a function and its argument to the outside. They define a canonical form in which functions are more likely to appear directly applied to their arguments.

The rearrangement rules by themselves form a confluent, terminating system. They are not derivable in the beta-v calculus and hence our reduction system is more powerful than one based purely on beta-v reduction.

[Moggi 1989] introduces the notion of computational monad as a framework for axiomatizing features of programming languages. Computational monads accommodate a wide variety of language features including assignment, exceptions, and control abstractions. An extension of the lambda-v calculus called the lambda-c calculus is presented and shown to be valid in all computational monads. Our rearrangement rules are derivable in the lambda-c calculus and thus are valid for any language whose semantics can be modeled as a computational monad.

Writing a simplifier based on rules that include beta reduction is made difficult by the fact that unrestricted application of these rules can lead to infinite reduction sequences. Thus a strategy is needed for limiting beta reduction. One possible strategy is to fix a maximum number of reduction steps and perform reductions at random until this limit is reached. This strategy has the disadvantage that it treats all reduction steps the same way, rather than favoring those which simplify the expression over those which wander aimlessly. A second strategy is to beta reduce a lambda-application $(\lambda x.e)v$ only if the bound variable $x$ occurs free at most once in the body $e$ or if the operand $v$ is atomic. Call this the reduces-size strategy. It guarantees that each beta reduction step decreases the size of the overall expression. This strategy can be overly conservative, since some expressions can be simplified only by first performing steps which increase the size of the expression, e.g. unfold and simplify. Note that neither of these strategies is confluent. This is obvious in the case of limiting the number of steps. To see this for the reduces-size strategy we observe that for any lambda abstraction $v$, $(\lambda x.\lambda z.(\lambda y.y(y\,z))x)v$ reduces both to $\lambda z.(\lambda y.y(y\,z))v$ and to $(\lambda x.\lambda z.x(x\,z))v$, and neither of these can be reduced further under the strategy.

In this paper we describe a new strategy, statically limited rewriting, in which we compute a subset $B$ of lambda-nodes in the initial expression such that any rewriting of that expression is guaranteed to terminate if beta reduction is restricted to descendants of nodes in $B$. (The descendant relation is the natural relation between nodes in an expression and nodes in the result of rewriting that expression.)

We use a form of abstract interpretation (cf. [Abramsky and Hankin 1987]) to compute a suitable set $B$. First we define a non-standard interpretation of expressions, the generates relation xgen, and the notion of a set of lambda nodes being an xgen-cycle. We then show that limiting reduction to descendants of a subset of lambda-nodes containing no xgen-cycle guarantees termination. Given an initial expression $e_{init}$, xgen is a relation on reduction paths and pairs of lambda-nodes of $e_{init}$ defined as follows. Let $a$ and $b$ be lambda nodes in the initial expression and let $q$ be a reduction sequence beginning with $e_{init}$. We say that $a$ generates $b$ in the final step of $q$ (and write $\mathrm{xgen}(q, a, b)$), if the final step of $q$ is a beta-v reduction at a site whose operator is a descendant of $a$, and this reduction step entails (in the case $a \neq b$) an increase in the number of descendants of $b$, or (in the case $a = b$) no decrease. We say $a$ generates $b$ along $p$ if $\mathrm{xgen}(q, a, b)$ for some prefix $q$ of $p$. A set of lambda nodes $a_0, \dots, a_n$ in the initial expression is an xgen-cycle if, roughly, there is a reduction sequence along which $a_i$ generates $a_{i+1}$ for $i < n$ and $a_n$ generates $a_0$.

For example consider the expression

$(\lambda^1 x.x\,x)(\lambda^2 x.x\,x)$

where the superscripts are used to associate names with lambda-nodes. Here there is a single reduction path along which 1 generates 2 and 2 generates 2. Limiting beta-reduction to descendants of node 1 guarantees termination (after one step!). As another example consider the expression

$(\lambda^1 p.p\,p\,z)(\lambda^2 x.\lambda^3 y.\lambda^4 s.s\,x\,y)$

For this expression there are reduction paths along which 1 generates 2, 3, 4 and there are no other generates instances. Since there are no cycles all reduction sequences must terminate. Note that the reduces-size strategy mentioned earlier does not permit any reduction.




In general xgen can be an infinite relation. Thus we want to find a finite, computable approximation that serves the same purpose. Using the methodology of abstract interpretation we say that a relation together with a corresponding notion of cycle is a safe approximation to xgen if it preserves the "no-cycles implies termination" property. As a first step we define a binary relation gen on lambda nodes that is a safe finite approximation of xgen using the usual notion of cycle induced by a binary relation. gen is the set of pairs $(a, b)$ such that for some reduction sequence $q$ beginning with $e_{init}$, $a$ generates $b$ in the final step of $q$.

We are still not done, as we have no general (uniformly terminating) algorithm for computing gen. Instead we define a safe computable approximation gen' of gen. The computation of gen' is based on computing upper bounds to the sets of nodes in the initial expression whose descendants can occupy certain kinds of positions (cf. control flow analysis [Shivers 1988] and closure analysis [Bondorf 1990]) and on computing an upper bound to the set of lambda nodes in the initial expression that are "doublers", i.e. have a descendant with more than one free occurrence of the bound variable in the body. Then gen' is roughly the set of all pairs $(a, b)$ of lam nodes such that $a$ is a doubler and there is some $c$ such that a descendant of $a$ is applied to a descendant of $c$, and a descendant of $b$ can become a subexpression of a descendant of $c$.

In addition to safety we need to show that the approximations we have defined are non-trivial (note that the complete binary relation on lambda nodes is a safe but useless approximation). In both of the examples above xgen, gen, and our computable approximation gen' give rise to the same classification of cycles, and in particular gen and gen' are non-trivial.

To summarize, given an expression to simplify, we proceed as follows: (i) compute gen'; (ii) choose a set $B$ with no gen'-cycles; (iii) perform $B$-limited reduction until termination. Limited rewriting is in fact locally confluent. Thus we are free to apply the rules in whatever order we like; the final outcome will be the same.

Although usually less conservative than the reduces-size strategy, the new strategy is sometimes still overly conservative. A less conservative alternative strategy, dynamically-limited rewriting, is the following. Instead of computing gen', we merely apply rules, accumulating a relation consisting of the pairs $(a, b)$ such that $a$ has generated $b$ in some step of the rewriting so far, and disallowing any step which would cause this relation to contain a cycle. The alternative strategy guarantees termination but fails to preserve the confluence property. Nevertheless it may be the more appropriate strategy for a practical simplifier.

Our static and dynamic strategies have an analogue in two approaches to partial evaluation. The static strategy corresponds to the use of binding time analysis and other static analyses performed to determine which applications should be left to run time and which are to be carried out at partial-evaluation time (cf. [Jones, Sestoft, and Søndergaard 1989], and [Bondorf 1990]). The dynamic strategy is more in the spirit of [Weise and Ruf 1990] where a call stack is maintained during partial evaluation and used for potential loop detection.

The rest of this paper is organized as follows. In Section 2 syntax and notation are described. In Section 3 the rewrite system is presented. In Section 4 the relation gen is introduced, two forms of limited rewriting are defined and shown to terminate, and it is shown that one form of limited rewriting is confluent while the other is not. In Section 5 we show that any superset of the relation gen is a safe approximation. The approximation gen' is defined and proved safe. In Section 6 we discuss possible improvements and related work.


2. Syntax

We use standard lambda calculus syntax [Barendregt 1981]. To define and analyze reduction rules it is convenient to represent expressions as labeled trees where each node of the tree corresponds to an occurrence of a subexpression. In this section we define the set of expressions and their representation as labeled trees.

We assume given a countably infinite set Var of variables. Then the set Exp of expressions is the least set containing the variables and closed under lambda abstraction and application. That is, Exp is the least set satisfying the following equation.

$\mathrm{Exp} = \mathrm{Var} \cup \lambda\mathrm{Var}.\mathrm{Exp} \cup \mathrm{Exp}\,\mathrm{Exp}$

We let $x, x_0, \dots$ range over Var and $e, e_0, \dots$ range over Exp. Expressions of the form $x$, $\lambda x.e$, and $e_1\,e_2$ are called atomic expressions, abstractions, and applications, respectively. In an abstraction $\lambda x.e$, we call $x$ the bound variable and $e$ the body. In an application $e_1\,e_2$, we call $e_1$ the operator and $e_2$ the operand. We let Vxp be the set $\mathrm{Var} \cup \lambda\mathrm{Var}.\mathrm{Exp}$ of atomic expressions and abstractions; expressions in Vxp are called value expressions. We let $v, v_0, \dots$ range over Vxp.

Free and bound variables are defined as usual and expressions identical up to alpha conversion we regard as indistinguishable. We write $e_1\{x := e_2\}$ for the result of substituting $e_2$ for all free occurrences of $x$ in $e_1$. Here we assume that alpha variants are chosen "hygienically" so that no trapping of free variables occurs. $\mathrm{let}\{x := e_0\}e_1$ abbreviates $(\lambda x.e_1)e_0$. We adopt the usual conventions for disambiguating written expressions, namely that (1) application associates left, so that $e_1\,e_2\,e_3$ is $(e_1\,e_2)e_3$, and (2) the body of an abstraction or let extends as far right as possible, so that $\lambda x.e_1\,e_2$ is $\lambda x.(e_1\,e_2)$. Parentheses may be used to override the default grouping as in $e_0(e_1\,e_2)$ or $(\lambda x.e_0)e_1$.

The tree structure of an expression is the abstract syntax tree modified to replace each bound variable by a pointer to the node in the tree corresponding to its binding lambda (cf. [deBruijn 1972]). Each node in the tree structure of an expression corresponds to a (unique) subexpression occurrence. Nodes are labeled by the constructor of the corresponding subexpression and edges are labeled by component selectors. A pointer is represented by a path (sequence of edges) relative to a top-level expression. To make this precise we define selectors, locations, and tags as follows. A selector is an element of the set $\{L, R, B\}$. Selectors name immediate subexpressions of an expression and label the edges of a tree. $B$ names the body of an abstraction and $L$ and $R$ name the operator (left) and operand (right) components of an application. The set Loc of locations is the set of finite sequences with elements taken from the set of selectors.

$\mathrm{Loc} = \{L, R, B\}^*$

Locations represent paths or nodes of a tree and are used to name occurrences of subexpressions. The set Tag of tags is defined by

$\mathrm{Tag} = \{\mathrm{app}, \mathrm{lam}\} \cup \mathrm{atx}(\mathrm{Loc})$

Tags label nodes of a tree. A node's tag identifies the constructor of the corresponding subexpression and, in the case of a bound variable, the location of its binding abstraction.

We let $c, c_0, \dots$ range over $\{L, R, B\}$, $l, l_0, \dots$ range over Loc, and $t, t_0, \dots$ range over Tag. $\square$ is the empty sequence and selectors are considered to be singleton sequences. We write $l.l'$ for the concatenation of the sequences $l$ and $l'$ and $l.c$ for the extension of $l$ by $c$. If $l = l_0.l_1$ then $l_0$ is called a prefix of $l$.

For simplicity we will assume outermost expressions are closed (by adding lambdas if necessary). This is not a serious restriction; it just eliminates the need for a special case for free variables. For an outermost expression $e$, the locations $\mathrm{locs}(e)$, the subexpression $(e)_l$ at location $l$ and its tag $\mathrm{tag}(e, l)$ are defined by induction on the construction of $e$ as follows.

(top) $\square \in \mathrm{locs}(e)$ and $(e)_\square = e$.

(app) If $l \in \mathrm{locs}(e)$ and $(e)_l = e_0\,e_1$ then $\mathrm{tag}(e, l) = \mathrm{app}$, $l.L, l.R \in \mathrm{locs}(e)$, $(e)_{l.L} = e_0$, and $(e)_{l.R} = e_1$.

(lam) If $l \in \mathrm{locs}(e)$ and $(e)_l = \lambda x.e_0$ then $\mathrm{tag}(e, l) = \mathrm{lam}$, $l.B \in \mathrm{locs}(e)$, and $(e)_{l.B} = e_0$.

(atx) If $l \in \mathrm{locs}(e)$, $(e)_l = x$, $l'$ is a prefix of $l$, $(e)_{l'} = \lambda x.e'$, and $l'$ is the longest such prefix of $l$ then $\mathrm{tag}(e, l) = \mathrm{atx}(l')$.

Let $l$ be a location in $e$. If $l$ has tag lam (i.e. $\mathrm{tag}(e, l) = \mathrm{lam}$), we say $l$ is a lam-node of $e$. If $l$ has tag app we say $l$ is an app-node of $e$. If $l$ has tag $\mathrm{atx}(l')$ we say that $l$ is an atx-node bound at $l'$ in $e$.

As an example let $e = \lambda f.\lambda x.f\,x$. The tree written as a term would be

lam(B : lam(B : app(L : atx($\square$), R : atx(B))))

where component selectors are made explicit using key-word argument syntax. Further we have

$\mathrm{locs}(e) = \{\square, B, B.B, B.B.L, B.B.R\}$

$\mathrm{tag}(e, \square) = \mathrm{lam}$, $\mathrm{tag}(e, B) = \mathrm{lam}$, $\mathrm{tag}(e, B.B) = \mathrm{app}$, $\mathrm{tag}(e, B.B.L) = \mathrm{atx}(\square)$, $\mathrm{tag}(e, B.B.R) = \mathrm{atx}(B)$

The following basic facts about the tree structure of an expression are simple consequences of the definitions and will be used implicitly.

Lemma (tree.struc):

(app) If $l.L \in \mathrm{locs}(e)$ or $l.R \in \mathrm{locs}(e)$, then $l.L \in \mathrm{locs}(e)$ and $l.R \in \mathrm{locs}(e)$ and $\mathrm{tag}(e, l) = \mathrm{app}$.

(lam) If $l.B \in \mathrm{locs}(e)$, then $\mathrm{tag}(e, l) = \mathrm{lam}$.

(atx) If $l \in \mathrm{locs}(e)$ and $\mathrm{tag}(e, l) = \mathrm{atx}(l')$, then $\mathrm{tag}(e, l') = \mathrm{lam}$ and $l = l'.l_0$ for some $l_0$.
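To make the labeled-tree view concrete, here is an added Python example (not the paper's own code) that computes locs(e), (e)_l and tag(e, l) for tuple-encoded expressions, with locations as tuples over the selectors L, R, B, and checks the three clauses of the lemma on the paper's example e = λf.λx.f x. The tuple encoding and the function names are my own choices.

```python
# Added example (not from the paper): the labeled-tree view of Section 2.
# Expressions: ('var', x) | ('lam', x, body) | ('app', operator, operand).
# Locations are tuples over the selectors 'L', 'R', 'B'; () is the empty
# location (the paper's box).

def var(x): return ('var', x)
def lam(x, body): return ('lam', x, body)
def app(f, a): return ('app', f, a)

def subterm(e, loc):
    """(e)_l: the subexpression occurrence at location l."""
    for c in loc:
        e = e[{'L': 1, 'R': 2, 'B': 2}[c]]
    return e

def tags(e, loc=(), binders=None):
    """Map every location of e to its tag: 'app', 'lam', or ('atx', l') with
    l' the location of the binding lambda.  'binders' maps each variable in
    scope to its innermost binder, so atx points at the longest binding
    prefix.  Assumes e is closed, as the paper does (a free variable raises
    KeyError)."""
    binders = {} if binders is None else binders
    if e[0] == 'var':
        return {loc: ('atx', binders[e[1]])}
    if e[0] == 'lam':
        out = {loc: 'lam'}
        out.update(tags(e[2], loc + ('B',), {**binders, e[1]: loc}))
        return out
    out = {loc: 'app'}
    out.update(tags(e[1], loc + ('L',), binders))
    out.update(tags(e[2], loc + ('R',), binders))
    return out

def locs(e):
    """locs(e): the set of all locations of e."""
    return set(tags(e))

def satisfies_tree_struc(e):
    """Check the three clauses of Lemma (tree.struc) on e."""
    t = tags(e)
    for l, tg in t.items():
        parent = l[:-1]
        if l and l[-1] in ('L', 'R'):      # (app): both children, parent is app
            if t[parent] != 'app' or parent + ('L',) not in t or parent + ('R',) not in t:
                return False
        if l and l[-1] == 'B' and t[parent] != 'lam':   # (lam)
            return False
        if isinstance(tg, tuple):          # (atx): binder is a lam node and a proper prefix
            b = tg[1]
            if t[b] != 'lam' or l[:len(b)] != b or len(l) == len(b):
                return False
    return True

# The paper's example e = \f.\x.f x
E = lam('f', lam('x', app(var('f'), var('x'))))

if __name__ == '__main__':
    for l in sorted(locs(E), key=len):
        print('.'.join(l) or 'box', tags(E)[l])
```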


3. Reduction

An expression is simplified stepwise by applying one of three reduction rules.

(1) $(\lambda x.e_0)e_1\,e_2 \mapsto_1 (\lambda x.e_0\,e_2)e_1$ provided $x$ is not free in $e_2$.

(2) $v((\lambda x.e_0)e_1) \mapsto_2 (\lambda x.v\,e_0)e_1$ provided $x$ is not free in $v$.

(3) $(\lambda x.e_0)v \mapsto_3 e_0\{x := v\}$

The stepwise reduction relation $e \to e'$ is the congruence closure of the union of the three reduction rules viewed as binary relations. That is, $e \to e'$ just if for some $(r, l) \in \{1, 2, 3\} \times \mathrm{Loc}$, and some $e_0, e_1$ we have that $(e)_l = e_0$, $e_0 \mapsto_r e_1$, and $e'$ is obtained from $e$ by replacing the occurrence of $e_0$ at $l$ by $e_1$. (Note that this is replacement, not substitution, and free variables of $e_1$ may be trapped by abstractions above $l$.) Pairs $(r, l)$ for $r \in \{1, 2, 3\}$ and $l \in \mathrm{Loc}$ are called rule applications. We write $e \xrightarrow{(r,l)} e'$ to make the rule application explicit and we call $l$ a site (in $e$) for application of rule $r$.

A reduction sequence is a sequence of stepwise reductions. We let $p, p_0, \dots, q, q_0, \dots$ range over sequences of rule applications $(r, l)$ and write $e \xrightarrow{p} e'$ if $p = (r_1, l_1), \dots, (r_n, l_n)$, $e = e_0$, $e' = e_n$, and $e_{i-1} \xrightarrow{(r_i, l_i)} e_i$ for $1 \le i \le n$.

Rule 3 is the beta-v reduction rule [Plotkin 1975]. Rules 1 and 2, called left-rearrangement and right-rearrangement respectively, would be superfluous in a system with unlimited beta-reduction and beta-expansion. However with only call-by-value beta-reduction, these rules can create sites for application of rule 3 which would not otherwise be created. Rearrangement merely rearranges the nodes in a tree, while beta-reduction may duplicate some subtrees and destroy others. The reduction rules preserve operational equivalence with respect to a call-by-value evaluator (cf. [Plotkin 1975]). They are also valid in a wide range of extensions of the basic language including control abstractions [Talcott 1989] and memory operations [Mason and Talcott 1989a, b] and are valid for the $\lambda_c$ theory of [Moggi 1989].

Theorem (Rearrangement is canonical): The reduction system generated by the rearrangement rules (the reflexive transitive congruence closure of $\mapsto_1 \cup \mapsto_2$) is terminating and confluent. Thus every expression has a unique normal form with respect to rearrangement.

Proof: What we must show is

(termination) Every sequence of rearrangements terminates.

(confluence) If $e_0, e_1$ are two distinct expressions that can be reached from an expression $e$ by sequences of rearrangements then there is an expression $e_2$ that can be reached from both $e_0$ and $e_1$ by further sequences of rearrangements.

To prove termination, define the depth of a node as the number of lam's it is below. In each rearrangement $e \to e'$, the depth of the app node at the rearrangement site in $e$, and the depths of each node in one of its subtrees, increase by 1, while the depths of all other nodes remain constant. So the sum of the depths of all nodes increases in each step. But this sum is bounded by $n \times m$, where $n$ is the number of nodes, and $m$ the number of lam nodes, in $e$. So the sequence of rearrangements must be finite.

Since we have termination, to prove confluence it suffices to prove local confluence [Huet 1977]:

(local confluence) If $e_0, e_1$ are two distinct expressions that can be reached from an expression $e$ by a one-step rearrangement then there is an expression $e_2$ that can be reached from both $e_0$ and $e_1$ by further sequences of rearrangements.

Instead of proving local confluence at this point we merely note that local confluence for rearrangement is a special case of local confluence of limited rewriting proved in the next section. $\square$
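The following added Python example (not the paper's code) implements rules 1 and 2 as a rearrangement-normal-form procedure, relying on the theorem above for termination, together with rule-3 site detection, and runs it on the two let-examples from the introduction to show that rearrangement creates beta-v sites where there were none. The tuple encoding, the `show` printer and the function names are my own.

```python
# Added example (not from the paper): the rules of Section 3 on the tuple
# representation ('var', x) | ('lam', x, body) | ('app', f, a).

def var(x): return ('var', x)
def lam(x, body): return ('lam', x, body)
def app(f, a): return ('app', f, a)

def is_value(e):
    """Vxp: atomic expressions and abstractions."""
    return e[0] in ('var', 'lam')

def free_vars(e):
    if e[0] == 'var': return {e[1]}
    if e[0] == 'lam': return free_vars(e[2]) - {e[1]}
    return free_vars(e[1]) | free_vars(e[2])

def rearrange_once(e):
    """Apply rule 1 or rule 2 at the leftmost-outermost site; None if neither
    rule applies anywhere in e.  Side conditions are checked as stated in the
    paper rather than discharged by alpha-renaming."""
    if e[0] == 'app':
        f, a = e[1], e[2]
        # rule 1: (\x.e0) e1 e2  ->  (\x.e0 e2) e1     if x not free in e2
        if f[0] == 'app' and f[1][0] == 'lam' and f[1][1] not in free_vars(a):
            x, e0, e1 = f[1][1], f[1][2], f[2]
            return app(lam(x, app(e0, a)), e1)
        # rule 2: v ((\x.e0) e1)  ->  (\x.v e0) e1     if x not free in v
        if is_value(f) and a[0] == 'app' and a[1][0] == 'lam' \
                and a[1][1] not in free_vars(f):
            x, e0, e1 = a[1][1], a[1][2], a[2]
            return app(lam(x, app(f, e0)), e1)
        r = rearrange_once(f)
        if r is not None: return app(r, a)
        r = rearrange_once(a)
        return None if r is None else app(f, r)
    if e[0] == 'lam':
        r = rearrange_once(e[2])
        return None if r is None else lam(e[1], r)
    return None

def rearrangement_normal_form(e):
    """Rearrange until no rule-1/rule-2 site remains; the theorem guarantees
    the loop terminates and the result is independent of site choice.
    Returns (normal form, number of rearrangement steps)."""
    steps = 0
    while (r := rearrange_once(e)) is not None:
        e, steps = r, steps + 1
    return e, steps

def beta_v_sites(e, loc=()):
    """Locations (tuples over L, R, B) of rule-3 sites: an abstraction
    applied to a value expression."""
    sites = []
    if e[0] == 'app':
        if e[1][0] == 'lam' and is_value(e[2]):
            sites.append(loc)
        sites += beta_v_sites(e[1], loc + ('L',)) + beta_v_sites(e[2], loc + ('R',))
    elif e[0] == 'lam':
        sites += beta_v_sites(e[2], loc + ('B',))
    return sites

def show(e):
    """Render with the paper's conventions: application associates left and
    a body extends as far right as possible."""
    if e[0] == 'var': return e[1]
    if e[0] == 'lam': return f"\\{e[1]}.{show(e[2])}"
    f, a = e[1], e[2]
    fs = f"({show(f)})" if f[0] == 'lam' else show(f)
    as_ = f"({show(a)})" if a[0] != 'var' else show(a)
    return f"{fs} {as_}"

# The two rearrangement examples of the introduction with let expanded:
# let{f := g z} \x.f x  is  (\f.\x.f x)(g z).
EX1 = app(app(lam('f', lam('x', app(var('f'), var('x')))), app(var('g'), var('z'))), var('y'))
EX2 = app(lam('x', app(var('f'), var('x'))),
          app(lam('g', lam('y', app(var('g'), var('y')))), app(var('h'), var('z'))))

if __name__ == '__main__':
    for e in (EX1, EX2):
        nf, n = rearrangement_normal_form(e)
        print(f"{show(e)}   [beta-v sites: {len(beta_v_sites(e))}]")
        print(f"  -> ({n} step) {show(nf)}   [beta-v sites: {len(beta_v_sites(nf))}]")
```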

In order to analyze properties of reduction sequences, we need to be able to trace the ancestry of nodes in an expression resulting from applying a sequence of reductions. For the direct application of a reduction rule $e \mapsto_r e'$ there is a natural predecessor in $e$ of each node in $e'$. Consider an application of rule 1. Making the relevant tree structure explicit we have

$e = \mathrm{app}^1(\mathrm{app}^2(\mathrm{lam}^3(x, e_0), e_1), e_2) \mapsto_1 \mathrm{app}^2(\mathrm{lam}^3(x, \mathrm{app}^1(e_0, e_2)), e_1) = e'$.

The predecessor of a node in the subexpression $e_0$, $e_1$, or $e_2$ of $e'$ is the corresponding node in the subexpression $e_0$, $e_1$, or $e_2$ of $e$. The predecessors of the remaining nodes of $e'$ are given by the superscripts. The predecessor function for applications of rule 2 or rule 3 is analogous. The precise definition is given below. For beta reduction this definition coincides with that of [Wadsworth 1978].

Definition (predecessor): For $e \xrightarrow{(r,l)} e'$ and $l' \in \mathrm{locs}(e')$ we define $\mathrm{pred}(e, (r, l), l')$, the $(r, l)$-predecessor of $l'$ in $e$, as follows. If $l$ is not a prefix of $l'$ then $\mathrm{pred}(e, (r, l), l') = l'$. Otherwise pred is given by the following tables.

(1) If $r = 1$ and $(e)_l = (\lambda x.e_0)e_1\,e_2$ then $\mathrm{pred}(e, (1, l), l') = l''$ is given by

    l'              l''             conditions
    l               l.L
    l.L             l.L.L
    l.L.B           l
    l.R.l_1         l.L.R.l_1       l_1 in locs(e_1)
    l.L.B.L.l_0     l.L.L.B.l_0     l_0 in locs(e_0)
    l.L.B.R.l_2     l.R.l_2         l_2 in locs(e_2)

(2) If $r = 2$ and $(e)_l = v((\lambda x.e_0)e_1)$ then $\mathrm{pred}(e, (2, l), l') = l''$ is given by

    l'              l''             conditions
    l               l.R
    l.L             l.R.L
    l.L.B           l
    l.L.B.L.l_v     l.L.l_v         l_v in locs(v)
    l.L.B.R.l_0     l.R.L.B.l_0     l_0 in locs(e_0)
    l.R.l_1         l.R.R.l_1       l_1 in locs(e_1)

(3) If $r = 3$ and $(e)_l = (\lambda x.e_0)v$ then $\mathrm{pred}(e, (3, l), l') = l''$ is given by

    l'              l''             conditions
    l.l_0           l.L.B.l_0       l_0 in locs(e_0); tag(e, l.L.B.l_0) != atx(l.L)
    l.l_0.l_v       l.R.l_v         l_v in locs(v);   tag(e, l.L.B.l_0) = atx(l.L)

The following lemma is a direct consequence of the definitions. It expresses the key structural properties of reductions and points out the crucial distinction between rearrangements and beta reduction.

Lemma (pred): The predecessor function is 1-1 and onto except in the case of a rule 3 reduction, where the application and abstraction nodes of the reduction site have no successors and nodes of the value may have zero or more successors.




The ancestor function anc generalizes the predecessor function to sequences of reduction steps, mapping locations in the final expression of a reduction sequence to locations in the initial expression from which they derive.

Definition (ancestor): If $e \xrightarrow{p} e_p$ and $l \in \mathrm{locs}(e_p)$ then $\mathrm{anc}_e(p, l)$, the $p$-ancestor in $e$ of $l$, is defined by induction on the length of $p$ as follows.

(mt) $\mathrm{anc}_e(\square, l) = l$

(nmt) If $p = p'.(r, l')$ and $e \xrightarrow{p'} e'$ then $\mathrm{anc}_e(p, l) = \mathrm{anc}_e(p', \mathrm{pred}(e', (r, l'), l))$.

If $\mathrm{anc}_e(p, l) = a$ then we say that $l$ is a $p$-descendant of $a$.

The following lemma shows that, via the ancestor relation, tag types and binding relations are preserved by reduction.

Lemma (tag preservation): Let $e \xrightarrow{p} e'$, $l' \in \mathrm{locs}(e')$, and $\mathrm{anc}_e(p, l') = l$. If $\mathrm{tag}(e, l) \in \{\mathrm{app}, \mathrm{lam}\}$ then $\mathrm{tag}(e', l') = \mathrm{tag}(e, l)$. If $\mathrm{tag}(e, l) = \mathrm{atx}(l_0)$ then $\mathrm{tag}(e', l') = \mathrm{atx}(l'_0)$ where $l'_0$ is the (unique) location in $e'$ such that $l'_0$ is a prefix of $l'$ and $\mathrm{anc}_e(p, l'_0) = l_0$.

Proof: An easy induction on the length of the reduction sequence. The prefix requirement in the case of bound-variable tags distinguishes between copies of the value substituted into the body of a lambda expression in rule 3. $\square$


4. Limited rewriting

In this section the relation gen is introduced, two forms of limited rewriting are defined and shown to terminate, and it is shown that one form of limited rewriting is confluent while the other is not. Finally we discuss limited rewriting as a basis for a practical rewrite-control strategy.

To simplify the definitions, for the remainder of the paper we fix an initial expression $e_{init}$. $A$ will denote the set of locations in $e_{init}$ ($A = \mathrm{locs}(e_{init})$) and $a, b, a_0, \dots$ will range over $A$. $A_{lam}$ will denote the set of lam locations in $e_{init}$ ($A_{lam} = \{l \in A \mid \mathrm{tag}(e_{init}, l) = \mathrm{lam}\}$). Having fixed $e_{init}$ we specialize the ancestor functions to $e_{init}$ and omit the subscript. We let Rseq be the set of rule application sequences starting from $e_{init}$, that is, sequences $p$ such that $e_{init} \xrightarrow{p} e$ for some $e$. For brevity, in situations where an expression is required a sequence $p$ in Rseq may be used to denote the (unique) $e$ such that $e_{init} \xrightarrow{p} e$. In particular we will write $\mathrm{tag}(p, l)$ for $\mathrm{tag}(e, l)$.

4.1. The gen relation and limited rewriting

We begin by defining the generates relations xgen on $\mathrm{Rseq} \times A_{lam} \times A_{lam}$ and gen on $A_{lam} \times A_{lam}$. Let $a$ and $b$ be lam nodes in $A_{lam}$ and let $q$ be a rule-application sequence in Rseq. We say that $a$ generates $b$ in the final step of $q$ (and write $\mathrm{xgen}(q, a, b)$), if the final step of $q$ is a rule-3 reduction at a site whose operator is a descendant of $a$, and this final step entails (in the case $a \neq b$) an increase in the number of descendants of $b$, or (in the case $a = b$) no decrease.

Definition (xgen): $\mathrm{xgen}(q, a, b)$ just if $a, b \in A_{lam}$, $q \in \mathrm{Rseq}$, and there are $p, e, e', l$ such that $q = p.(3, l)$ and (i)-(iii) hold.

(i) $e_{init} \xrightarrow{p} e \xrightarrow{(3,l)} e'$

(ii) $\mathrm{anc}(p, l.L) = a$

(iii) $n_b < n'_b$ if $a \neq b$ and $n_b \le n'_b$ if $a = b$; where $n_b$ is the number of locations $l'$ in $e$ such that $\mathrm{anc}(p, l') = b$ and $n'_b$ is the number of locations $l'$ in $e'$ such that $\mathrm{anc}(p.(3, l), l') = b$.

We say that $a$ generates $b$ (and write $\mathrm{gen}(a, b)$) if $a$ generates $b$ in some step of some reduction sequence beginning with $e_{init}$.

Definition (gen): $\mathrm{gen}(a, b)$ just if there is some $q \in \mathrm{Rseq}$ for which $\mathrm{xgen}(q, a, b)$.

We now define two forms of limited rewriting.

Definition ($R$-limited rewriting): Given a relation $R$ on $A_{lam} \times A_{lam}$, we define an $R$-limited rewriting to be any reduction sequence $e_{init} \to e_1 \to \cdots$ starting with $e_{init}$, and satisfying the restriction that a step in which some node $a$ generates some node $b$ is allowed only if $(a, b) \in R$. That is, if $e_{init} \xrightarrow{p} e \xrightarrow{(3,l)} e'$ is an initial segment of such a sequence and $\mathrm{xgen}(p.(3, l), a, b)$, then $(a, b) \in R$.

Definition ($B$-limited rewriting): Given a subset $B$ of $A_{lam}$ we define a $B$-limited rewriting to be any reduction sequence $e_{init} \to e_1 \to \cdots$ starting with $e_{init}$, and satisfying the restriction that a beta reduction step is allowed only if the operator is a descendant of a location in $B$. Thus if $e_{init} \xrightarrow{p} e \xrightarrow{(3,l)} e'$ is an initial segment of such a sequence then $\mathrm{anc}(p, l.L) \in B$.

4.2. Termination of limited rewriting

In this subsection we show that under suitable conditions each of the two forms of limited rewriting is guaranteed to terminate. We say that a binary relation R on a set X has no cycles if there is no sequence x_0, ..., x_n of elements of X such that x_0 = x_n and R(x_i, x_{i+1}) for 0 ≤ i < n.

Theorem (R-limited rewriting terminates): Let R be a relation on A_lam × A_lam with no cycles. Then any R-limited rewriting must be finite.

Proof: Let $e_{init} \to e_1 \to \cdots$ be an R-limited rewriting, and let p be the corresponding (possibly infinite) sequence of (r, l) pairs. Let R_p be the set of (a, b) pairs such that a generates b in some step of this rewriting, that is,

$R_p = \{(a, b) \in A_{lam} \times A_{lam} \mid (\exists q, q_1 \in \mathit{Rseq})(p = q.q_1 \wedge \mathit{xgen}(q, a, b))\}.$

Since R has no cycles, neither does R_p, and we can linearly order the elements of A_lam as a row a_1, ..., a_n such that during this rewriting each element of the row generates only elements to the right of that element. That is, for a_j, a_k ∈ A_lam and q a finite prefix of p, if xgen(q, a_j, a_k) then j < k.

Define the rearrangement potential for an expression e to be the number of steps in the longest sequence of rearrangements beginning with e. Since rearrangement is terminating the rearrangement potential is always a natural number, and decreases with any rearrangement step.

For each expression e_i in $e_{init} \to e_1 \to \cdots$, let τ_i be the (n+1)-tuple of natural numbers whose first n components are the numbers of descendants in e_i of a_1, ..., a_n, respectively, and whose last component is the rearrangement potential of e_i. We show that the sequence of tuples τ_init, τ_1, ... is in lexicographically decreasing order. Hence both the sequence τ_init, τ_1, ... and the sequence $e_{init} \to e_1 \to \cdots$ must be finite.

Suppose e_i → e_{i+1} is a rearrangement step. Since for rearrangements the predecessor function is one-to-one and onto, τ_i and τ_{i+1} are equal in their first n components. Since the rearrangement potential decreases in a rearrangement step, the last component of τ_{i+1} is less than that of τ_i. Suppose e_i → e_{i+1} is a beta-value reduction step. Then the operator at the reduction site must be a descendant of a node a_j in A_lam. The jth component of τ_{i+1} must be less than that of τ_i, and no preceding component of τ_{i+1} can be greater than the corresponding component of τ_i. Otherwise, for q the prefix of p corresponding to $e_{init} \to \cdots \to e_{i+1}$ and k the offending position at or before position j, we would have xgen(q, a_j, a_k), violating the condition by which the elements a_1, ..., a_n were ordered. □

BeginNote

From the proof we see that (R-limited rewriting terminates) holds for any extension of the beta-v rule by the addition of a terminating collection of rules with the property that application of one of these rules never increases the number of descendants of a node.

EndNote

Corollary (B-limited rewriting terminates): Let B be a subset of A_lam such that the restriction gen_B of gen to B has no cycles. Then any B-limited rewriting must be finite.

Proof: Any B-limited rewriting is gen_B-limited (since if there is a step which makes a rewriting not gen_B-limited, then the step must be a beta reduction step and the operator at the reduction site must be a descendant of an element of B, so the rewriting is not B-limited). Since gen_B has no cycles, any B-limited rewriting must be finite by the preceding theorem. □

4.3. Confluence of limited rewriting

In the previous section we showed that for certain subsets B of A_lam, B-limited rewriting terminates. In this section we show that for any subset B of A_lam, B-limited rewriting is locally confluent. R-limited rewriting, however, is not confluent.

Theorem (B-limited rewriting is locally confluent): If B is any subset of A_lam then B-limited rewriting is locally confluent. That is, if $e_{init} \xrightarrow{p} e \xrightarrow{(r_k, l_k)} e_k$ is a B-limited rewriting for k ∈ {α, β} then we can find p_k and e' such that $e_{init} \xrightarrow{p} e \xrightarrow{(r_k, l_k)} e_k \xrightarrow{p_k} e'$ is a B-limited rewriting for k ∈ {α, β}.

Proof: Assume $e_{init} \xrightarrow{p} e \xrightarrow{(r_k, l_k)} e_k$ is a B-limited rewriting for k ∈ {α, β}. We want to find p_k and e' such that $e_{init} \xrightarrow{p} e \xrightarrow{(r_k, l_k)} e_k \xrightarrow{p_k} e'$ is a B-limited rewriting for k ∈ {α, β}. Note that if l ∈ locs(e) is a site for B application of rule 3 and l' is a descendant of l in e_k then l' is a site for B application of rule 3 in e_k. If l_α is not a prefix of l_β and l_β is not a prefix of l_α then l_α is a site for rule r_α in e_β, l_β is a site for rule r_β in e_α, and applying the rules in either order gives the same result (call it e'). Thus $e_{init} \xrightarrow{p} e \xrightarrow{(r_k, l_k)} e_k \xrightarrow{(r_{\bar{k}}, l_{\bar{k}})} e'$ is a B-limited rewriting for k ∈ {α, β} and $\bar{k}$ the opposite of k. Thus without loss of generality we may assume that l_α is a prefix of l_β and consider three cases according to whether r_α is 1, 2, or 3.

Case 1: Let (e)_{l_α} = (λx.e_0) e_1 e_2. If l_β is a location in e_0, e_1, or e_2 then application of the two rules commutes:

$e \xrightarrow{(r_\alpha, l_\alpha)} e_\alpha \xrightarrow{(r_\beta, l'_\beta)} e'$

and

$e \xrightarrow{(r_\beta, l_\beta)} e_\beta \xrightarrow{(r_\alpha, l_\alpha)} e'$

where pred(e_α, l'_β) = l_β and we are done. Otherwise (by the form of the rules) we have l_β = l_α.L and r_β = 2 or r_β = 3.

Case 1.2: e_1 = (λy.e_3) e_4

$(\lambda x.e_0)\,e_1\,e_2 \mapsto_1 (\lambda x.e_0\,e_2)\,e_1 = (\lambda x.e_0\,e_2)\,((\lambda y.e_3)\,e_4) \mapsto_2 (\lambda y.(\lambda x.e_0\,e_2)\,e_3)\,e_4$

$(\lambda x.e_0)\,((\lambda y.e_3)\,e_4)\,e_2 \mapsto_{(2,L)} (\lambda y.(\lambda x.e_0)\,e_3)\,e_4\,e_2 \mapsto_1 (\lambda y.(\lambda x.e_0)\,e_3\,e_2)\,e_4 \mapsto_{(1,L.B)} (\lambda y.(\lambda x.e_0\,e_2)\,e_3)\,e_4$

Case 1.3: e_1 = v_1 ∈ V_exp

$(\lambda x.e_0)\,v_1\,e_2 \mapsto_1 (\lambda x.e_0\,e_2)\,v_1 \mapsto_3 e_0\{x := v_1\}\,e_2$

$(\lambda x.e_0)\,v_1\,e_2 \mapsto_{(3,L)} e_0\{x := v_1\}\,e_2$

Case 2: Let (e)_{l_α} = v ((λx.e_0) e_1). Again if l_β is a location in v, e_0, or e_1 then application of the two rules commutes (modulo relocation) and we are done. Otherwise (by the form of the rules) we have l_β = l_α.R and r_β = 2 or r_β = 3.

Case 2.2: e_1 = (λy.e_2) e_3

$v\,((\lambda x.e_0)\,e_1) \mapsto_2 (\lambda x.v\,e_0)\,e_1 = (\lambda x.v\,e_0)\,((\lambda y.e_2)\,e_3) \mapsto_2 (\lambda y.(\lambda x.v\,e_0)\,e_2)\,e_3$

$v\,((\lambda x.e_0)\,((\lambda y.e_2)\,e_3)) \mapsto_{(2,R)} v\,((\lambda y.(\lambda x.e_0)\,e_2)\,e_3) \mapsto_2 (\lambda y.v\,((\lambda x.e_0)\,e_2))\,e_3 \mapsto_{(2,L.B)} (\lambda y.(\lambda x.v\,e_0)\,e_2)\,e_3$

Case 2.3: e_1 = v_1 ∈ V_exp

$v\,((\lambda x.e_0)\,v_1) \mapsto_2 (\lambda x.v\,e_0)\,v_1 \mapsto_3 v\,e_0\{x := v_1\}$, since x ∉ FV(v)

$v\,((\lambda x.e_0)\,v_1) \mapsto_{(3,R)} v\,(e_0\{x := v_1\})$

Case 3: We use the following standard lemmas.

(i) $e \xrightarrow{(r,l)} e'$ implies $e\{x := v\} \xrightarrow{(r,l)} e'\{x := v\}$

(ii) $v \xrightarrow{(r,l)} v'$ implies $e\{x := v\} \xrightarrow{(r,\,l_1.l)} \cdots \xrightarrow{(r,\,l_k.l)} e\{x := v'\}$, where l_1, ..., l_k is a list of the locations of free occurrences of x in e.

Let (e)_{l_α} = (λx.e_0) v. Then l_β must be a location in e_0 or v and the result follows from the lemmas (i) and (ii) respectively. □

Corollary (B-limited rewriting is canonical): Each expression e_init has a unique simplified form with respect to B-limited rewriting for any B ⊆ A_lam such that gen_B contains no cycles.

BeginNote

One might suppose that R-limited rewriting is canonical for any R ⊆ A_lam × A_lam with no cycles. This conjecture is false. For example, take

e_init = (λ¹z.(λ²x.x x)(λ³p.z))(λ⁴w.w)

and R = {(2, 3)}. There are two choices for the first step of R-limited reduction, and the resulting expressions have no common reachable expression.

EndNote

4.4. Strategies for controlling rewriting

The results of this section suggest the following strategies for controlling rewriting.

(1: Statically-limited) Compute gen, choose a maximal subset B of A_lam with no gen-cycles, and perform B-limited rewriting until termination.

(2: Dynamically-limited) Instead of computing gen, merely apply rules, accumulating information about the xgen relation as the set of pairs (a, b) such that a has generated b in some step of the rewriting so far, and disallowing any step which would cause this relation to contain a cycle. Since any reduction sequence generated by this method is R-limited for some R with no cycles, no infinite reduction sequence can be generated.

The first strategy has some obvious advantages. First, it is fully specified in the sense that it terminates with the same final result regardless of the order in which rules are applied. This means that it is simpler to analyze. Another advantage of strategy (1) is that it does not require computing generation pairs (a, b) at each beta reduction step. In practice, since we have no algorithm for computing gen, strategy (1) will be implemented using some safe approximation gen' of gen. One such approximation is described in the next section.

Let us say that one rewrite-control strategy is always as powerful as another if every reduction sequence allowed by the first is allowed by the second. Otherwise we say that the first is sometimes less powerful than the second (and the second sometimes more powerful than the first). It is interesting to compare the power of strategies (1) and (2) with that of the reduces-size strategy mentioned in the introduction.

Both of the strategies (1) and (2) are sometimes more powerful than the reduces-size strategy (for example consider the second example given in the introduction). Reduces-size rewriting is identical with R-limited rewriting with R the empty relation. So strategy (2) is always as powerful as the reduces-size strategy.

Strategy (1) is sometimes less powerful than the reduces-size strategy. For example if the initial expression is

let¹{f := λ³y.let⁴{x := y} let⁵{w := x} w w} f λ²z.f

then gen includes the cycle 4 → 4. (To see this, reduce the application of 1; then reduce leftmost applications of 3, 5, and 4. Node 4 generates itself in the last step.) This means that our choice of B for statically-limited rewriting cannot include node 4. Thus, statically-limited rewriting will not allow reduction of 4-applications. However the reduces-size strategy allows reduction of a 4-application as the first step.
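The xgen test of Definition (xgen), R-limited rewriting and the dynamically-limited strategy (2) above, as an added example that is not code from the paper: a small Python implementation of beta-value rewriting with ancestor tracking, run on the term of the note in Section 4.3 and on (λx.x x)(λy.y y). The tuple encoding of terms, the string encoding of locations and the two input terms are this example's own assumptions, and the rearrangement rules 1 and 2 are omitted.

```python
"""Added example (not from the paper): beta-value rewriting with ancestor
tracking, the xgen test, R-limited rewriting and strategy (2).  Rules 1 and 2
are left out; e_init is closed with distinct bound names, so no renaming."""

def label(t, loc=""):
    """Attach each node's location in e_init: after rewriting it is anc(p, l).
    Shapes: ("var", anc, x), ("lam", anc, x, body), ("app", anc, fun, arg)."""
    if t[0] == "var":
        return ("var", loc, t[1])
    if t[0] == "lam":
        return ("lam", loc, t[1], label(t[2], loc + "B"))
    return ("app", loc, label(t[1], loc + "L"), label(t[2], loc + "R"))

def subst(e, x, v):
    """e{x := v}; copies of v keep their labels, so they are v's descendants."""
    if e[0] == "var":
        return v if e[2] == x else e
    if e[0] == "lam":
        return e if e[2] == x else ("lam", e[1], e[2], subst(e[3], x, v))
    return ("app", e[1], subst(e[2], x, v), subst(e[3], x, v))

def sites(e, loc=""):
    """Locations of beta-value redexes (λx.e0) v, v a variable or a lambda."""
    if e[0] == "var":
        return []
    if e[0] == "lam":
        return sites(e[3], loc + "B")
    here = [loc] if e[2][0] == "lam" and e[3][0] != "app" else []
    return here + sites(e[2], loc + "L") + sites(e[3], loc + "R")

def reduce_at(e, loc):
    """Apply rule 3 at the redex at location loc (a string over L/R/B)."""
    if loc == "":
        return subst(e[2][3], e[2][2], e[3])
    if loc[0] == "B":
        return ("lam", e[1], e[2], reduce_at(e[3], loc[1:]))
    fun = reduce_at(e[2], loc[1:]) if loc[0] == "L" else e[2]
    arg = reduce_at(e[3], loc[1:]) if loc[0] == "R" else e[3]
    return ("app", e[1], fun, arg)

def descendants(e, n=None):
    """n_b of Definition (xgen): nodes of e descending from each lam node b."""
    n = {} if n is None else n
    if e[0] == "lam":
        n[e[1]] = n.get(e[1], 0) + 1
    for child in (e[2:] if e[0] == "app" else e[3:]):
        descendants(child, n)
    return n

def xgen_pairs(e, loc):
    """Pairs (a, b) with a generating b in the step reducing the redex at loc."""
    op = e
    for c in loc + "L":                       # walk down to the operator lambda
        op = op[3] if c in "BR" else op[2]
    a, before, after = op[1], descendants(e), descendants(reduce_at(e, loc))
    return {(a, b) for b, nb in before.items()
            if after.get(b, 0) > nb or (a == b and after.get(b, 0) >= nb)}

def has_cycle(rel):
    """True if the transitive closure of rel contains a pair (a, a)."""
    closure = set(rel)
    while True:
        more = closure | {(a, d) for a, b in closure for c, d in closure if b == c}
        if more == closure:
            return any(a == b for a, b in closure)
        closure = more

def r_limited_normal_forms(e_init, R):
    """Terms reachable by R-limited rewriting that admit no further R-allowed step."""
    seen, todo, stuck = set(), [label(e_init)], set()
    while todo:
        e = todo.pop()
        moves = [loc for loc in sites(e) if xgen_pairs(e, loc) <= R]
        if not moves:
            stuck.add(e)
        for e2 in (reduce_at(e, loc) for loc in moves):
            if e2 not in seen:
                seen.add(e2)
                todo.append(e2)
    return stuck

def dynamically_limited(e_init):
    """Strategy (2): keep stepping while the accumulated xgen relation stays acyclic."""
    e, rel, steps = label(e_init), set(), 0
    while True:
        for loc in sites(e):
            pairs = xgen_pairs(e, loc)
            if not has_cycle(rel | pairs):
                e, rel, steps = reduce_at(e, loc), rel | pairs, steps + 1
                break
        else:
            return e, rel, steps              # final term, relation, step count

# Constructed inputs.  NOTE is the note's term (λ¹z.(λ²x.x x)(λ³p.z))(λ⁴w.w) with
# λ¹ at "L", λ² at "LBL", λ³ at "LBR", λ⁴ at "R"; OMEGA is (λ¹x.x x)(λ²y.y y).
NOTE = ("app", ("lam", "z", ("app", ("lam", "x", ("app", ("var", "x"), ("var", "x"))),
                                     ("lam", "p", ("var", "z")))),
               ("lam", "w", ("var", "w")))
OMEGA = ("app", ("lam", "x", ("app", ("var", "x"), ("var", "x"))),
                ("lam", "y", ("app", ("var", "y"), ("var", "y"))))
```

On OMEGA strategy (2) takes one step and then refuses the next, whose xgen pair (2, 2) would close a cycle; with R = {(2, 3)} the note's term has two R-limited normal forms, which is the non-confluence the note describes.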
5. Estimating the gen relation

We defined a relation gen on A_lam, the set of lambda nodes of a given initial expression e_init, and showed that if a subset B of A_lam contains no gen-cycles then B-limited rewriting from e_init terminates. As it stands, this result is of little use, since we have no algorithm to compute the relation gen for an arbitrary expression e_init. Instead we will define a computable relation gen' which is a safe approximation to gen. We say that gen' is a safe approximation to gen if whenever a subset B of A_lam has no gen' cycles then it has no gen cycles. Thus we can safely use gen' to choose the subset B for limited rewriting.

Lemma (gen.safe): If gen' is a relation on A_lam × A_lam that is a superset of gen (gen(a, b) ⇒ gen'(a, b)) then gen' is a safe approximation of gen.

In this section we define a computable relation gen' that is a superset of gen for any given e_init. The development of our algorithm for calculating gen' was based on the following intuitions.

(1) Nodes (atomic expression nodes, application nodes, and lambda nodes) are considered to maintain their identity as reduction proceeds.

(2) Each application node has two hooks, and each lambda node one hook, to which the root nodes of subexpressions are attached. During reduction the node attached to a given hook may be removed and a new node attached.

(3) One can simultaneously determine for every hook an upper bound on the set of lam or atx nodes which can ever become attached to that hook, in the following way. We know the node initially attached to each hook. There are only two ways a given hook can get a new node: (a) when a lambda-application app¹(lam²(e1), e2) is reduced, each hook within lam²(e1) to which a variable-node bound by lam² is attached gets (a copy of) the node currently attached to the right-hand hook of app¹; (b) when the above-mentioned reduction occurs, the hook to which the node app¹ is attached gets the node attached to the hook of lam². To simultaneously build the upper-bound set of nodes for every hook, we proceed as follows. Each node-set initially contains zero or one node. If there is an app node whose left hook node-set contains lam¹ and whose right hook node-set contains node n then add n to the node-set of each hook whose node-set contains an atx node bound by lam¹, and to the node-set of the hook to which this app is originally attached, add all elements in the node-set of the hook of lam¹.

(4) By analogous methods we can determine upper bounds for the set of lam nodes which are "doublers" (a lam node with some descendant that contains more than one occurrence of the bound variable in the body) and for the set of pairs (n1, n2) of atx or lam nodes such that node n2 can occupy a position at or below n1 (so that attaching n1 to a given hook "can bring" node n2 along with it). Finally we compute gen' as the set of all pairs (n1, n2) of lam nodes such that n1 is a doubler and n1 is in the node-set of the left hook of an app node whose right hook node-set includes a node which can bring n2.

To compute gen' we first define auxiliary relations get, doubler, and canbring expressing the key features in the clauses of the definition of gen and show that gen is approximated by a simple combination of these relations. We then define computable relations get', doubler', and canbring' that are safe approximations (supersets) of get, doubler, and canbring respectively. gen' is then defined to be the corresponding combination of the approximations to the auxiliary relations.

As motivation we begin with a lemma (gen.char) characterizing gen. This lemma states that gen(a, b) holds just if there is some rewriting e of e_init with a site for application of the beta-v rule such that the ancestor of the abstraction component is a, the bound variable of that abstraction occurs at least twice in the body, and there is a location within the value component with ancestor b.

Lemma (gen.char): gen(a, b) just if a, b ∈ A_lam and there are p, l, e, e', l0, l1, l2 such that

(i) $e_{init} \xrightarrow{p} e \xrightarrow{(3,l)} e'$

(ii) anc(p, l.L) = a and anc(p, l.R.l0) = b,

(iii) l1 ≠ l2 and tag(p, l.L.l1) = tag(p, l.L.l2) = atx(l.L).

Proof: The if direction is trivial. For the only-if direction, assume gen(a, b) and let p, l, e, e' be such that $e_{init} \xrightarrow{p} e \xrightarrow{(3,l)} e'$, anc(p, l.L) = a, and (in the case a = b) n_b ≤ n'_b or (in the case a ≠ b) n_b < n'_b; where n_b is the number of locations l' in e such that anc(p, l') = b and n'_b is the number of locations l' in e' such that anc(p, l') = b. If there is no l0 such that anc(p, l.R.l0) = b or if tag(p, l.L.l1) = tag(p, l.L.l2) = atx(l.L) implies l1 = l2 then (since the subexpression at b is not a variable) b ≠ a implies n_b = n'_b and b = a implies n_b > n'_b. Thus we can find l0, l1, l2 such that anc(p, l.R.l0) = b, l1 ≠ l2, and tag(p, l.L.l1) = tag(p, l.L.l2) = atx(l.L). □

get is a relation on A × {L, R, B} × A such that for locations a, b in the initial expression, get(a, c, b) means that there is a rewriting p of e_init such that there is a p-descendant of a with a p-descendant of b immediately below it along a c edge.

Definition (get): get(a, c, b) just if a, b ∈ A, c ∈ {L, R, B}, and there are some p, l, e such that $e_{init} \xrightarrow{p} e$, anc(p, l) = a, and anc(p, l.c) = b.

canbring is a relation on A × A such that if canbring(a1, a2) then a1 and a2 are lam-nodes and there is a rewriting p of e_init such that there is a p-descendant of a1 which is in a "potential operand" location (a location ending with R or B), and which has a p-descendant of a2 below it.

Definition (canbring): For a1, a2 ∈ A, canbring(a1, a2) just if tag(e_init, a1) = tag(e_init, a2) = lam and there are p, l, c, l0 such that c ∈ {R, B}, anc(p, l.c) = a1, and anc(p, l.c.l0) = a2.

For a node a in the initial expression, doubler(a) means that a is a lam-node and that there is a rewriting p from e_init such that a p-descendant of a has more than one occurrence of its bound variable in its body.

Definition (doubler): For a ∈ A, doubler(a) just if there are p, l, l1, l2 such that l1 ≠ l2, anc(p, l) = a, tag(p, l) = lam, tag(p, l.l1) = tag(p, l.l2) = atx(l).

Approximations to gen can be factored into approximations of get, canbring, and doubler using the following theorem.

Theorem (gen.approx): If gen(a, b) then doubler(a) and there are a0, a1 ∈ A such that get(a0, L, a), get(a0, R, a1), and canbring(a1, b).

Proof: A direct consequence of (gen.char). □

5.1. Approximating the factors of gen

The approximations get', canbring', and doubler' are defined inductively as the least relations satisfying certain conditions (sets of clauses). The clauses were determined systematically by seeing what was needed to carry through a proof of safeness by induction on the rewriting p that occurs in the definitions of the corresponding exact relations. The base case is p = □ and the corresponding clause was obtained by instantiating the formula defining the exact relation with p = □. For p non-empty we consider the last rule applied, assume safeness for shorter rewritings, and analyze the possible relations between the location of the rule application and the locations mentioned in the definition of the exact relation. The labels of the clauses in the definitions of get', canbring', and doubler' below reflect this case analysis, which is given in more detail in the proofs of safeness. For the definitions we need one additional auxiliary relation isval on A which is true for value locations in the initial expression.

Definition (isval): isval(a) ⟺ (e_init)_a ∈ V_exp

Lemma (isval): isval(a) just if tag(e_init, a) = lam or tag(e_init, a) = atx(b) for some b in A_lam.

5.1.1. Approximating get

Definition (getp): get' is the least relation on A × {L, R, B} × A such that

(mt) get'(a, c, a.c)

(1.1) get'(a, c, a0) ∧ get'(a0, L, b) ∧ get'(b, L, a1) ∧ tag(□, a1) = lam ⇒ get'(a, c, b)

(1.2) get'(b, L, a0) ∧ get'(a0, L, a) ∧ tag(□, a) = lam ⇒ get'(a, B, b)

(1.3) get'(a, L, a0) ∧ get'(a0, L, a1) ∧ get'(a1, B, b) ⇒ get'(a, L, b)

(2.1) get'(a, c, a0) ∧ get'(a0, R, b) ∧ get'(a0, L, a1) ∧ isval(a1) ∧ get'(b, L, a2) ∧ tag(□, a2) = lam ⇒ get'(a, c, b)

(2.2) get'(b, L, a0) ∧ isval(a0) ∧ get'(b, R, a1) ∧ get'(a1, L, a) ∧ tag(□, a) = lam ⇒ get'(a, B, b)

(2.3) get'(a, R, a0) ∧ get'(a0, L, a1) ∧ get'(a1, B, b) ∧ get'(a, L, a2) ∧ isval(a2) ⇒ get'(a, R, b)

(3.1) get'(a, c, a0) ∧ get'(a0, L, a1) ∧ get'(a1, B, b) ∧ get'(a0, R, a2) ∧ isval(a2) ⇒ get'(a, c, b)

(3.2) get'(a, c, a0) ∧ get'(a0, R, b) ∧ isval(b) ∧ get'(a0, L, a1) ∧ get'(a1, B, a2) ∧ tag(□, a2) = atx(a1) ⇒ get'(a, c, b)

(3.3) get'(a0, R, b) ∧ isval(b) ∧ get'(a0, L, a1) ∧ get'(a, c, a2) ∧ tag(□, a2) = atx(a1) ⇒ get'(a, c, b)

Theorem (getp): get(a, c, b) ⇒ get'(a, c, b)

Proof: We show by induction on p that anc(p, l) = a and anc(p, l.c) = b implies get'(a, c, b). If p is empty the result follows from clause (mt) of the definition of get'. Assume p = p0.(r, l0) and $e_{init} \xrightarrow{p_0} e \xrightarrow{(r, l_0)} e'$. If r = 1 there are three cases of interest: (1.1) l.c = l0; (1.2) l = l0.L ∧ c = B; and (1.3) l = l0.L.B ∧ c = L. If r = 2 there are three cases of interest: (2.1) l.c = l0; (2.2) l = l0.L ∧ c = B; and (2.3) l = l0.L.B ∧ c = R. If r = 3 there are three cases of interest: (3.1) l.c = l0 ∧ tag(p0, l0.L.B) ≠ atx(l0.L); (3.2) l.c = l0 ∧ tag(p0, l0.L.B) = atx(l0.L); and (3.3) l = l0.l1 ∧ tag(p0, l0.L.B.l1.c) = atx(l0.L) ∧ tag(p0, l0.L.B) ≠ atx(l0.L). In each of these cases we use the corresponding clause in the definition of get'. For all of the remaining possible positions of l relative to l0 we have anc(p, l) = anc(p0, l') = a and anc(p, l.c) = anc(p0, l'.c) = b where l' = pred(e, (r, l0), l). Hence by induction we are done. □

5.1.2. Approximating canbring

The definition of canbring is in fact too restrictive to allow us to express the conditions we need in constructing the approximations canbring' and doubler'. This is because we want to express not only the possibility of one lambda-node appearing below another, but also the possibility of a variable-node appearing below a lambda-node. To solve this problem we define a larger relation canbring*. canbring*(a1, a2) holds if either canbring(a1, a2) or a1 is a value node, a2 is an atx-node, and there is a rewriting p of e_init such that there is a p-descendant of a2 which has a p-descendant of a1 between it and its binding location.

Definition (canbring*): For a1, a2 ∈ A, canbring*(a1, a2) just if canbring(a1, a2) or isval(a1) and there are p, l, c, l0, l1 such that c ∈ {R, B}, anc(p, l.l0.c) = a1, anc(p, l.l0.c.l1) = a2, and tag(p, l.l0.c.l1) = atx(l).

Lemma (canbring*): canbring(a1, a2) ⇒ canbring*(a1, a2).

Definition (canbringp): canbring' is the least relation on A × A such that

(mt.i) a1 = l.c ∧ c ∈ {R, B} ∧ a2 = a1.l1 ∧ tag(□, a1) = tag(□, a2) = lam ⇒ canbring'(a1, a2)

(mt.ii) a1 = l.l1.c ∧ isval(a1) ∧ c ∈ {R, B} ∧ a2 = a1.l2 ∧ tag(□, a2) = atx(l) ⇒ canbring'(a1, a2)

(3) get'(a0, R, a4) ∧ get'(a0, L, a3) ∧ canbring'(a4, a2) ∧ canbring'(a1, a5) ∧ tag(□, a1) = lam ∧ tag(□, a5) = atx(a3) ⇒ canbring'(a1, a2)

Theorem (canbringp): canbring(a1, a2) ⇒ canbring'(a1, a2)

Proof: We will show that canbring*(a1, a2) implies canbring'(a1, a2). For this, we show by induction on p that

(i) tag(□, a1) = tag(□, a2) = lam, anc(p, l.c) = a1, anc(p, l.c.l2) = a2, and c ∈ {R, B} implies canbring'(a1, a2).

(ii) anc(p, l.l1.c) = a1, isval(a1), anc(p, l.l1.c.l2) = a2, tag(p, l.l1.c.l2) = atx(l), and c ∈ {R, B} implies canbring'(a1, a2).

If p is empty the result follows from clauses (mt.i, ii) of the definition of canbring'. Assume p = p0.(r, l0) and $e_{init} \xrightarrow{p_0} e \xrightarrow{(r, l_0)} e'$. If r ∈ {1, 2} then for all allowed positions of l relative to l0 the result follows by induction. If r = 3 then the only interesting case is pred(e, (r, l0), l.c) = l0.L.B.l1' and pred(e, (r, l0), l.c.l2) = l0.R.l2' for some l1', l2'. Then (i) and (ii) both follow from clause (3) of the definition of canbring'. □

5.1.3. Approximating doubler

Definition (doublerp): doubler' is the least relation on A such that

(mt) l1 ≠ l2 ∧ tag(□, a.B.l1) = tag(□, a.B.l2) = atx(a) ⇒ doubler'(a)

(3) doubler'(a1) ∧ get'(a0, L, a1) ∧ get'(a0, R, a2) ∧ canbring'(a2, a3) ∧ tag(□, a3) = atx(a) ⇒ doubler'(a)

Theorem (doublerp): doubler(a) ⇒ doubler'(a)

Proof: We show by induction on p that anc(p, l) = a, l1 ≠ l2, and tag(p, l.B.l1) = tag(p, l.B.l2) = atx(l) implies doubler'(a). Assume l1 ≠ l2, anc(p, l) = a and tag(p, l.B.l1) = tag(p, l.B.l2) = atx(l). If p is empty the result follows from the clause (mt) of the definition of doubler'. Assume p = p0.(r, l0) and $e_{init} \xrightarrow{p_0} e \xrightarrow{(r, l_0)} e'$. If pred(e, (r, l0), l.B.l1) ≠ pred(e, (r, l0), l.B.l2) then anc(p, l), anc(p0, pred(e, (r, l0), l)), and a are equal. Also tag(p0, pred(e, (r, l0), l.B.l_j)), atx(pred(e, (r, l0), l)), and tag(p, l.B.l_j) are equal and the result follows by induction. Thus we may assume r = 3, l is a proper prefix of l0, pred(e, (r, l0), l.B.l1) = pred(e, (r, l0), l.B.l2) = l' for some l', and the result follows from clause (3) of the definition of doubler'. □

5.2. Approximating gen

Definition (genp): gen'(a, b) just if a, b ∈ A_lam and for some a0, a1 ∈ A

doubler'(a) ∧ get'(a0, L, a) ∧ get'(a0, R, a1) ∧ canbring'(a1, b).

Theorem (genp): gen(a, b) ⇒ gen'(a, b)

Proof: An easy consequence of (gen.char). □
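The fixed-point computation of get', canbring' and doubler' and their combination into gen' (Sections 5.1 and 5.2), as an added example that is not code from the paper: a Python transcription of the clauses above, run on the term of the note in Section 4.3 and on (λx.x x)(λy.y y). The tuple encoding of terms, the string encoding of locations and the two input terms are this example's own assumptions.

```python
"""Added example (not from the paper): compute the safe approximation gen'
of Section 5 for a closed term.  Terms are nested tuples; a location is a
string over L/R/B with the root written "", so the paper's a.c is a + c and
tag(□, a) is tags[a]."""
from itertools import product


def analyse(term):
    """tags[a] for every location a of e_init: "lam", "app" or ("atx", binder)."""
    tags = {}

    def walk(e, loc, env):
        if e[0] == "var":
            tags[loc] = ("atx", env[e[1]])   # binder: location of the lam
        elif e[0] == "lam":
            tags[loc] = "lam"
            walk(e[2], loc + "B", {**env, e[1]: loc})
        else:
            tags[loc] = "app"
            walk(e[1], loc + "L", env)
            walk(e[2], loc + "R", env)
    walk(term, "", {})
    return tags


def gen_prime(term):
    """Least fixed point of the clauses for get', canbring' and doubler',
    combined as in Definition (genp); returns the pairs (a, b) of lam nodes."""
    tags = analyse(term)
    A = sorted(tags)
    lam = {a for a in A if tags[a] == "lam"}
    isval = lambda a: a in lam or isinstance(tags[a], tuple)    # Lemma (isval)
    atx = lambda a, l: tags[a] == ("atx", l)                    # tag(□, a) = atx(l)
    get = {(a, c, a + c) for a in A for c in "LRB" if a + c in tags}  # (mt)
    G = lambda a, c: [b for (x, y, b) in get if (x, y) == (a, c)]
    parents = lambda b: [(a, c) for (a, c, x) in get if x == b]
    cb = set()
    for a1, a2 in product(A, A):                                 # (mt.i), (mt.ii)
        if a1 and a1[-1] in "RB" and isval(a1) and a2.startswith(a1):
            if a1 in lam and a2 in lam:
                cb.add((a1, a2))
            if any(atx(a2, l) for l in A if a1.startswith(l) and l != a1):
                cb.add((a1, a2))
    dbl = {a for a in lam if sum(atx(x, a) for x in A) >= 2}    # doubler' (mt)
    while True:
        size = len(get) + len(cb) + len(dbl)
        for a0 in A:
            for b in G(a0, "L"):                       # rule 1: (λx.e0) e1 e2
                for a1 in G(b, "L"):
                    if a1 in lam:
                        get |= {(a, c, b) for (a, c) in parents(a0)}       # (1.1)
                        get.add((a1, "B", a0))                              # (1.2)
                        get |= {(a0, "L", e0) for e0 in G(a1, "B")}        # (1.3)
            for b, v in product(G(a0, "R"), G(a0, "L")):  # rule 2: v ((λx.e0) e1)
                for a1 in G(b, "L"):
                    if a1 in lam and isval(v):
                        get |= {(a, c, b) for (a, c) in parents(a0)}       # (2.1)
                        get.add((a1, "B", a0))                              # (2.2)
                        get |= {(a0, "R", e0) for e0 in G(a1, "B")}        # (2.3)
            for a1, v in product(G(a0, "L"), G(a0, "R")):  # rule 3: (λx.e0) v
                if a1 not in lam or not isval(v):
                    continue
                for e0 in G(a1, "B"):
                    get |= {(a, c, e0) for (a, c) in parents(a0)}          # (3.1)
                    if atx(e0, a1):
                        get |= {(a, c, v) for (a, c) in parents(a0)}       # (3.2)
                get |= {(a, c, v) for (a, c, x) in list(get) if atx(x, a1)}  # (3.3)
                for x, a2 in list(cb):                         # canbring' (3)
                    if x == v:
                        cb |= {(l1, a2) for (l1, a5) in list(cb)
                               if l1 in lam and atx(a5, a1)}
                if a1 in dbl:                                  # doubler' (3)
                    dbl |= {tags[a3][1] for (x, a3) in cb
                            if x == v and isinstance(tags[a3], tuple)}
        if len(get) + len(cb) + len(dbl) == size:
            break
    return {(a, b) for a in dbl for a0 in A if (a0, "L", a) in get
            for v in G(a0, "R") for b in lam if (v, b) in cb}


# Constructed inputs (this example's own).  NOTE is the term of the note in
# Section 4.3, (λ¹z.(λ²x.x x)(λ³p.z))(λ⁴w.w): λ¹ at "L", λ² at "LBL",
# λ³ at "LBR", λ⁴ at "R".  OMEGA is (λ¹x.x x)(λ²y.y y): λ¹ at "L", λ² at "R".
NOTE = ("app", ("lam", "z", ("app", ("lam", "x", ("app", ("var", "x"), ("var", "x"))),
                                     ("lam", "p", ("var", "z")))),
               ("lam", "w", ("var", "w")))
OMEGA = ("app", ("lam", "x", ("app", ("var", "x"), ("var", "x"))),
                ("lam", "y", ("app", ("var", "y"), ("var", "y"))))
```

For NOTE the result is {(2, 3), (2, 4), (1, 4)} in the note's numbering, which has no cycle, so every lam node may go into B; for OMEGA it contains (2, 2), so λ² must be left out of B and B-limited rewriting stops after one step.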

5.3.  Usefulness  of  the  approximation 

We  would  like  to  think  of  the  computable  definition  of  gen'  as  a  program 
satisfying  a  two-part  specification:  (1)  gen'  is  safe;  (2)  gen'  is  useful.  Formalizing 
notions  of  safety  is  well-understood,  but  formalizing  notions  of  usefulness  is  an  open 
problem.  At  the  present  we  have  only  some  miscellaneous  criteria,  described  in  this 
section. 

One criterion of usefulness is non-triviality: the requirement that there exists some expression e_init for which gen' is smaller than the trivial approximation A_lam × A_lam. As mentioned earlier, our definition of gen' satisfies this criterion.

Another criterion is to require that the program for gen' compute gen exactly on some test suite of interesting expressions. A finite test suite is hardly a specification, since a trivial program modified to handle the test suite examples as special cases would satisfy the specification. However a good test suite can be useful in identifying problems with the approximation.

Another possibility would be to require that gen' = gen for certain infinite sets of expressions. For example, our definition of gen' agrees with gen on expressions that contain no doublers initially.

Lemma (no.doubler): If e_init contains no doublers then gen and gen' are empty.

Proof: Assume tag(e_init, l1) = tag(e_init, l2) = atx(l) implies l1 = l2 for l1, l2, l ∈ locs(e_init). By safeness it suffices to show that gen' is empty. Show by contradiction that ¬doubler'(a) for a ∈ A_lam. Choose a ∈ A_lam with minimal derivation of doubler'(a). The last rule applied cannot be (mt) by hypothesis. The last rule applied cannot be (3) by minimality. □
6. Towards a general purpose simplifier

The ultimate goal of this work is to develop simplifiers which are of practical use as automatic program manipulation tools. The work presented here provides a foundation for developing general-purpose expression simplifiers. We have extended the beta-v reduction rule by adding rearrangement rules that substantially increase the simplification power. These rules remain valid for a wide range of extensions of the lambda calculus by primitive operations to permit embedding of traditional programming languages. We have seen that there are trade-offs between maintaining confluent systems and increasing simplification power. What remains to be done is to work out a variety of substantial examples to test the practical applicability of the various strategies and to determine what are the limiting factors in practical situations. In this section we discuss potential deficiencies and possible improvements of our analysis.

6.1. Approximating gen more accurately

Although for some expressions the computed gen' estimates gen exactly, there are other expressions where the approximation is poor. For example if

e_init = λ¹a.λ²times.let³{twice := λ⁵f.λ⁶x.f (f x)} let⁴{sqr := λ⁷x.times x x} twice twice sqr a

then gen = {3 → 5, 6; 5 → 5; 4 → 7} but gen' = {3 → 5, 6; 4 → 4, 5, 6, 7; 5 → 4, 5, 6, 7; 6 → 4, 5, 6, 7; 7 → 4, 5, 6, 7}. (Here 3 → 5, 6 abbreviates (3, 5), (3, 6), and so on.) Thus the set B cannot include any of 4, 5, 6, 7 and statically-limited rewriting is unable to fully simplify the expression.

One way to improve the simplifier is to approximate gen more accurately.
This can be done systematically as follows. For a given expression, define
relations xdoubler(p, l, a), xget(p, l, a1, c, a2), and xcanbring(p, l, a1, a2)
which, unlike their finite counterparts, completely describe the rewrite
history p and the location l at which the relationship occurs. A set of rules
can be given which defines these relations simultaneously by induction on p.
The finite (though perhaps uncomputable) relation gen can be defined exactly in
terms of these three potentially infinite relations.

To approximate gen, we choose a function f assigning to each pair (p, l) in
Rseq × Loc a representation s from a finite set S. We then define finite but
not necessarily computable relations ydoubler(s, a), yget(s, a1, c, a2), and
ycanbring(s, a1, a2) such that the tuple (s, a) is in ydoubler just if
(p, l, a) is in xdoubler for some p, l such that f(p, l) = s, and likewise for
yget and ycanbring. Finally, we apply f to the inductive rules defining
xdoubler, xget and xcanbring to obtain rules defining computable relations
ydoubler', yget' and ycanbring' which are guaranteed to be supersets of
ydoubler, yget and ycanbring.
The value s in a tuple (s, a) satisfying ydoubler is a partial history telling
how node a becomes a doubler. In this paper we took S to be a one-element set,
throwing away the history so that doubler could play the role of ydoubler (and
similarly for get and canbring). By keeping more history information, it should
be possible to approximate gen with arbitrary accuracy; the only drawback would
be the increased cost of the calculation. This approach is similar to the use
of procedure strings and their abstractions in the inter-procedural analysis of
Scheme programs [Harrison 1989].

6.2.  Alternate  non-standard  interpretations 

gen is itself an approximation to the information contained in the xgen
relation. Forgetting the path along which one node generates another when
computing cycles of generates introduces fictitious cycles: it is possible that
xgen(p, a, b) and xgen(q, b, a) hold, but never along the same path. Note that
this sort of loss of information is avoided by the dynamically-limited
strategy. Thus, one could look for better approximations to xgen that would
enable statically-limited rewriting to subsume more of the simplifications
allowed by dynamically-limited rewriting. In the example of the previous
section, xgen has a cycle although all rewritings from the given initial
expression terminate. Thus one might also look for an alternative non-standard
interpretation corresponding to a different analysis of the cause of
non-termination.
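The following Python program is an added example, not code from the paper. It takes the relations gen and gen' of section 6.1 as data, computes which labels lie on a cycle of each, and from that the largest set B that statically-limited rewriting could use; for section 6.2 it then shows, on constructed data, how projecting a path-indexed relation xgen(p, a, b) onto (a, b) manufactures a cycle that no single rewrite sequence contains. It assumes that B may contain only labels lying on no cycle of the approximating relation (the way the text uses B above), that "along the same path" means a cycle built from the edges of one rewrite sequence p, and that the labels 1..7 are the binders of e_init.

```python
# Added example (not from the paper): cycles of a "generates" relation and the
# labels a statically-limited strategy may still rewrite. GEN and GEN_APPROX
# are transcribed from the twice/sqr example of section 6.1; XGEN is
# constructed data illustrating the loss of path information in section 6.2.
from typing import Dict, Iterable, Set, Tuple

Relation = Dict[int, Set[int]]

# Exact relation gen and its computed estimate gen' for e_init (from the text).
GEN: Relation = {3: {5, 6}, 5: {5}, 4: {7}}
GEN_APPROX: Relation = {
    3: {5, 6},
    4: {4, 5, 6, 7},
    5: {4, 5, 6, 7},
    6: {4, 5, 6, 7},
    7: {4, 5, 6, 7},
}
# Labels of the binders in e_init: lambda^1, lambda^2, let^3, let^4, lambda^5..7.
LABELS = range(1, 8)


def transitive_closure(rel: Relation) -> Relation:
    """Warshall closure: b in result[a] iff there is a non-empty path a ->+ b."""
    nodes = set(rel) | {b for bs in rel.values() for b in bs}
    reach = {a: set(rel.get(a, ())) for a in nodes}
    for k in nodes:
        for a in nodes:
            if k in reach[a]:
                reach[a] |= reach[k]
    return reach


def nodes_on_cycles(rel: Relation) -> Set[int]:
    """Labels a with a ->+ a in rel; a self-loop such as 5 -> 5 counts."""
    return {a for a, bs in transitive_closure(rel).items() if a in bs}


def admissible_set(rel: Relation, labels: Iterable[int]) -> Set[int]:
    """Largest B compatible with rel, assuming (as section 6.1 uses B) that
    statically-limited rewriting may only unfold labels on no cycle of rel."""
    return set(labels) - nodes_on_cycles(rel)


# Section 6.2: a path-indexed relation xgen(p, a, b). Constructed data: the
# edge 4 -> 7 occurs only on rewrite sequence p and 7 -> 4 only on q.
XGEN: Set[Tuple[str, int, int]] = {("p", 4, 7), ("q", 7, 4)}


def forget_paths(xgen: Set[Tuple[str, int, int]]) -> Relation:
    """Project xgen(p, a, b) onto (a, b); this is where gen loses the path."""
    rel: Relation = {}
    for _, a, b in xgen:
        rel.setdefault(a, set()).add(b)
    return rel


def cycles_along_single_paths(xgen: Set[Tuple[str, int, int]]) -> Set[int]:
    """Labels on a cycle built from the edges of one rewrite sequence only
    (our reading of 'along the same path')."""
    cyclic: Set[int] = set()
    for p in {t[0] for t in xgen}:
        cyclic |= nodes_on_cycles(forget_paths({t for t in xgen if t[0] == p}))
    return cyclic


if __name__ == "__main__":
    print("gen  cycles:", nodes_on_cycles(GEN), "B =", admissible_set(GEN, LABELS))
    print("gen' cycles:", nodes_on_cycles(GEN_APPROX), "B =", admissible_set(GEN_APPROX, LABELS))
    print("forgetting paths:", nodes_on_cycles(forget_paths(XGEN)),
          "along one path:", cycles_along_single_paths(XGEN))
```

Under gen' every one of 4, 5, 6, 7 lies on a cycle and B shrinks to {1, 2, 3}, which is the restriction the text describes; under the exact gen only the self-loop at 5 survives. The second half shows the fictitious cycle: the projected relation has 4 <-> 7, while neither rewrite sequence on its own contains a cycle.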

6.3.  Preserving  context  information 

We separated simplification from the continuation-passing transformation in
order to simplify the basic transformation and to develop a generic simplifier
that could be shared among a variety of program manipulation tools. Of course
this means loss of information. For example, a continuation-passing transformer
can carry out beta reductions based on knowledge about whether the application
came from the original program or was introduced by the transformation. This
approach has been used successfully in developing a continuation-passing
transformation program [Danvy, private communication].

We gained simplicity by considering only the language of the pure lambda
calculus. Following [Landin 1966] we can represent (by adding primitive
constants and syntactic sugar) a wide range of language features (block
structure, loops, recursive definition, branching, assignment, goto, escape,
labels, . . . ) without invalidating our reduction rules. In fact any set of
rules that are valid in the lambda-c calculus will have this property. Again we
lose information in translating from a richer language to the lambda calculus,
and we may want to consider more refined simplification mechanisms based on
richer languages. For example, [Moggi 1989] treats let as a construct distinct
from lambda-application and gives a normalizing system of let-reductions. The
system includes the analog of beta-value reduction and many instances (but not
all) of our rearrangement rules. It also includes rules such as
let{x := e} x → e which are not derivable in our system. It will require
further investigation to determine the relative merits of the two sets of rules
(and other alternatives) as the basis of simplification systems.

To improve the usefulness of a generic simplifier a language is needed for
expressing information such as that discussed above. One such language is the
two-level lambda calculus [Nielson 1988]. Here there are two copies of each
syntactic construct. The distinction can be interpreted as compile-time vs
run-time or as expressing binding time information [Jones et al. 1989].
Accounting for the wide range of information we need to express will require a
more general annotation language.

6.4.  Adding  new  rules 

In addition to extending the capabilities of a simplifier by increasing the
information and lambda rules available, one may also wish to add constants to
the language and add corresponding delta-rules. These might include rewriting
rules for an abstract data type, rules for conditional expressions, rules for
updating operations [Mason and Talcott 1989a], or rules for control operations
[Talcott 1989, 1990]. In general the combination of two or more terminating
rewriting systems does not produce a terminating system. However,
[Breazu-Tannen and Gallier 1989] studies combinations of algebraic term
rewriting systems and polymorphic lambda term rewriting and shows that
properties such as strong normalization and confluence are preserved for a
number of combinations.